Analysis

- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08-06-2024 01:13

Static task: static1

Behavioral task: behavioral1
- Sample: 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe
- Resource: win10v2004-20240508-en
General

- Target: 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe
- Size: 1.3MB
- MD5: 44458945e94a220f25a7c9be7a00431e
- SHA1: c8bf329b998fccc2af3c7c1abb7226d666ce2401
- SHA256: 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276
- SHA512: ff729f50f129d013f8eb4fcddafc3d7eae23c879a8d828420e98fa1daa81ef2d9b82e7ace3f065d230d7b22e6a8d3199da6c716af58166e4f8e805f332bf3242
- SSDEEP: 24576:RAHnh+eWsN3skA4RV1Hom2KXMmHaIGQq3t9JT90/jgmsBsrYm5:oh+ZkldoPK8Yaoq3dB0MlsrZ
Malware Config

Extracted
- Protocol: smtp
- Host: mail.ppg-pa.com
- Port: 587
- Username: [email protected]
- Password: DKKfy2001$
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect packed .NET executables. Mostly AgentTeslaV4. 33 IoCs (yara rule INDICATOR_EXE_Packed_GEN01, behavioral1 memory dumps of PID 2652)
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 33 IoCs (yara rule INDICATOR_SUSPICIOUS_Binary_References_Browsers, behavioral1 memory dumps of PID 2652)
Detects executables referencing Windows vault credential objects. Observed in infostealers. 33 IoCs (yara rule INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, behavioral1 memory dumps of PID 2652)
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. 33 IoCs (yara rule INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store, behavioral1 memory dumps of PID 2652)
Detects executables referencing many email and collaboration clients. Observed in information stealers. 33 IoCs (yara rule INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients, behavioral1 memory dumps of PID 2652)
Detects executables referencing many file transfer clients. Observed in information stealers. 33 IoCs (yara rule INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients, behavioral1 memory dumps of PID 2652)
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs (process: antholite.exe)

Executes dropped EXE (1 IoC)
- PID 1120: antholite.exe

Loads dropped DLL (1 IoC)
- PID 1796: 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 4: api.ipify.org
- flow 5: api.ipify.org

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
- behavioral1/files/0x0007000000014207-12.dat: yara rule autoit_exe

Suspicious use of SetThreadContext (1 IoC)
- PID 1120 set thread context of 2652 (pid 1120, process antholite.exe, procid_target 29)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2652: RegSvcs.exe
- PID 2652: RegSvcs.exe

Suspicious behavior: MapViewOfSection (1 IoC)
- PID 1120: antholite.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege (pid 2652, process RegSvcs.exe)

Suspicious use of FindShellTrayWindow (4 IoCs)
- PID 1796: 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe
- PID 1796: 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe
- PID 1120: antholite.exe
- PID 1120: antholite.exe

Suspicious use of SendNotifyMessage (4 IoCs)
- PID 1796: 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe
- PID 1796: 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe
- PID 1120: antholite.exe
- PID 1120: antholite.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2652: RegSvcs.exe

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 1796 wrote to memory of 1120 (pid 1796, process 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe, procid_target 28)
- PID 1796 wrote to memory of 1120 (pid 1796, process 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe, procid_target 28)
- PID 1796 wrote to memory of 1120 (pid 1796, process 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe, procid_target 28)
- PID 1796 wrote to memory of 1120 (pid 1796, process 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe, procid_target 28)
- PID 1120 wrote to memory of 2652 (pid 1120, process antholite.exe, procid_target 29)
- PID 1120 wrote to memory of 2652 (pid 1120, process antholite.exe, procid_target 29)
- PID 1120 wrote to memory of 2652 (pid 1120, process antholite.exe, procid_target 29)
- PID 1120 wrote to memory of 2652 (pid 1120, process antholite.exe, procid_target 29)
- PID 1120 wrote to memory of 2652 (pid 1120, process antholite.exe, procid_target 29)
- PID 1120 wrote to memory of 2652 (pid 1120, process antholite.exe, procid_target 29)
- PID 1120 wrote to memory of 2652 (pid 1120, process antholite.exe, procid_target 29)
- PID 1120 wrote to memory of 2652 (pid 1120, process antholite.exe, procid_target 29)
Processes

1. C:\Users\Admin\AppData\Local\Temp\5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe"
   - Loads dropped DLL
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   PID: 1796

   2. C:\Users\Admin\AppData\Local\troopwise\antholite.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 1120

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         PID: 2652
Downloads

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Filesize: 1.3MB
  MD5: 44458945e94a220f25a7c9be7a00431e
  SHA1: c8bf329b998fccc2af3c7c1abb7226d666ce2401
  SHA256: 5f3b37688eecd92c1ef6fee755f65bc758972a260e74986407e7e7c51dcb5276
  SHA512: ff729f50f129d013f8eb4fcddafc3d7eae23c879a8d828420e98fa1daa81ef2d9b82e7ace3f065d230d7b22e6a8d3199da6c716af58166e4f8e805f332bf3242